> Is this something to be concerned about?
Yes. You might want to have a look at the perms (and existence) of /var/log/lastlog.
By "checking the system logs", I'm sure you meant last and lastb? Take a peek at
/etc/passwd, and see if everything there looks normal.
Also, just to be on the safe side, I would advise running an md5sum on /bin/login,
who, w, last, ps, & netstat and comparing the results with those on a reference
machine, perhaps a pristine install never connected to the wire. On Red Hat boxes,
rpm -V is a great tool as well, if you can be certain that the rpm database hasn't
been tampered with.
Have you considered deploying Tripwire?
On Wed, 04 Oct 2000, you wrote:
> Something strange happened on a few of our Redhat 6.0 (kernel
> 2.2.12-20) boxes this morning. When I went to login to the machines via
> a telnet session I didn't get any 'Last Login' reported by the shell.
> It's been a few days since I last accessed the machines, and scanning
> the system logs doesn't show any logins by anyone at all since my
> previous session (this is normal for these machines). I've done a
> cursory check for new or modified files (using GNU find) and nothing
> looks out of the ordinary. The machines haven't been restarted and all
> the log files seem to be intact...
>
> Is this something to be concerned about?
>
> k.
>
> -----------------
> Kris Boutilier
> Systems Administrator
> Sunshine Coast Regional District
Received on Oct 05 2000
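
The checks suggested in the reply above (state of /var/log/lastlog, and md5sum of the login and reporting binaries compared against a reference machine), as an added example that is not part of the original thread. The function names, the binary paths and the baseline path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Binary paths are assumptions; adjust them.
# Run md5sum and this script from trusted media when the host is suspect.
BINARIES="/bin/login /usr/bin/who /usr/bin/w /usr/bin/last /bin/ps /bin/netstat"

# make_manifest ROOT FILE...: print "<md5>  <path>" for each FILE under ROOT
# (ROOT is "" for the live system, or the mount point of a reference install).
make_manifest() {
    root=$1; shift
    for f in "$@"; do
        if [ -f "$root$f" ]; then
            printf '%s  %s\n' "$(md5sum < "$root$f" | awk '{print $1}')" "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done
}

# compare_manifests REF SUSPECT: print one line per path that differs from REF.
# Returns 0 if all match, 1 on any difference, 2 if REF is empty or unreadable.
compare_manifests() {
    [ -s "$1" ] || { echo "NO-REFERENCE $1"; return 2; }
    diffs=$(awk 'NR == FNR { ref[$2] = $1; next }
        { seen[$2] = 1 }
        !($2 in ref) { print "EXTRA", $2; next }
        (ref[$2] "") != ($1 "") { tag = ($1 == "MISSING") ? "MISSING" : "CHANGED"
                                  print tag, $2 }
        END { for (p in ref) if (!(p in seen)) print "UNCHECKED", p }' "$1" "$2" | sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# lastlog_state FILE: print "missing", "not-regular" (symlink, device, directory)
# or "ok <mode> <owner>" so the permissions can be reviewed by eye.
lastlog_state() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then echo missing
    elif [ -L "$1" ] || [ ! -f "$1" ]; then echo not-regular
    else ls -ld "$1" | awk '{print "ok", $1, $3}'
    fi
}

# Usage (the baseline path is a placeholder): sh check.sh --check /mnt/ref/baseline.md5
if [ "${1:-}" = "--check" ]; then
    lastlog_state /var/log/lastlog
    tmp=$(mktemp) && make_manifest "" $BINARIES > "$tmp"
    compare_manifests "$2" "$tmp"; rc=$?; rm -f "$tmp"; exit "$rc"
fi
```

Build the reference manifest with `make_manifest` on the pristine install and keep it on read-only media, so the comparison does not depend on anything stored on the machine being examined.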